Although intY has traditionally been a provider of managed email/Internet protection services, the company has decided to provide an alternative offering for those who want caching, proxy and scanning services inside their organisation instead of using an external service. The ExoServer is a cute blue-and-orange desktop PC-sized security appliance that provides firewall protection for the corporate network along with a number of extra security-related extras. It is an all-in-one PC that seems to run on some Unix-like operating system; you can run it with a keyboard, mouse and monitor for console interaction, or you can leave it ‘headless’ and manage it remotely (and know what it’s doing via defined sequences of beeps). To get started, you connect a PC to the unit’s ‘internal’ network interface and point a Web browser at 10.0.1.1. You’re greeted with a basic front screen, which invites you (among other things) to administer the unit. Step one is to walk through the wizard that lets you set the IP addresses of the various network adaptors and turn on or off the built-in DHCP server (we turned ours off). Because we were using external DNS and no DHCP, the admin screen didn’t seem to work for a start – the link is to http://inty:8080/, and of course our Windows workstation didn’t know a machine ‘inty’ – but once we’d hinted how to find the machine, via a URL hack, everything was fine. The first thing I always do with a new unit is fetch any software updates from the vendor’s website. These are called ‘intYpaks’ and the download screen lists the packs that are (a) installed; (b) downloaded but not yet installed; and (c) available for download from the vendor website. It seems that you can only download one pack at once (when I started a second download it seemed to kill the first) but this is no real problem. It’s rather disconcerting that installing some packs requires, in the words of the user interface, ‘several reboots’, but at least it worked okay and everything was completely automatic. A nice inclusion is the ability to reverse out of a pack installation – so if an update happens to cause a problem, at least you can back out. Not stateful
The next step in our test was to configure the firewall – a simple packet-level filtering facility which, although functional, is extremely basic. You build a filter list in the usual way – defining ‘to’ and ‘from’ networks or individual hosts, and saying whether a particular protocol (and port, if appropriate) is permitted or banned for that combination of addresses. It’s clean and simple but lacks niceties such as pre-defined protocols (you have to know that SMTP is port 25, for instance, and if you have a protocol such as SMB that uses multiple ports, you have to have a set of separate rules). There also doesn’t seem to be any context-sensitive ‘stateful inspection’ type stuff in there, which is a drawback in today’s market. The email server is full of functionality and seems to do everything we could think we wanted it to. It can act as a basic relay or a fully-intelligent mailer and lets you handle multiple domains on a single server. SMTP authentication is included (a must if you have remote users without VPN connections relaying off the mail server). There’s a shared global address book and there’s even a neat little monitoring tool that lets you monitor all incoming and/or outgoing mail. It would be nice, though, if you could choose to monitor only a certain user’s email, or mail to/from a given domain, instead of the administrator getting a mailbox full of everything. As well as acting as an SMTP server, the mail server will also pull mail in from an external mail server (which is useful if you don’t have a static IP address and so you can’t have your mail coming in directly). It works with IMAP and POP, and also supports the ETRN (reverse-SMTP) command for remote SMTP servers. IMAP and POP mail can be delivered into a single mailbox or split among users’ mailboxes if the server the other end supports an appropriate ‘multidrop’ message header. There’s a webmail client as well, for users on the move who can’t be bothered to start up their laptops. The web functionality of the system incorporates a built-in ‘intranet’ web server and the ability to be a proxy/cache for internal users accessing outside servers. It can also replicate locally-held web pages to your live, external website if desired. Files are placed on the intranet server via a simple Windows file share – the unit can become a member of a Windows domain or workgroup and so it’ll appear just like any normal fileserver to those users that have access. Which brings us on to users. The user definition wizard is surprisingly involved, although this isn’t really a complaint because it does walk you through all the stuff you need to do. So you have the usual user ID, full name and password (it’ll automatically choose a secure, but completely hard-to-remember one, if you wish), email aliases, group memberships (including whether or not the user is a system manager, a web editor or a PPTP VPN user), and what Internet access they have (that is, both what sites they can get to and when they can get there). Although the wizard’s a bit of a fiddle, there’s an import tool that lets you define everything outside the wizard and then just bulk-load the results into the ExoServer. For those of you who want the thing to integrate with your Windows user database, you can do it but apparently only if you install an ‘intY ExoServer update service’ on the domain controller, to allow user details to be automatically forwarded to the ExoServer box itself. The Internet access control we mentioned is useful, though nothing you won’t see in any other access control package. You can define time periods (e.g. ‘Weekday lunchtimes’), each of which has a set of 24 one-hour slots for each day that can be turned on or off. These time definitions form part of ‘access plans’, in which you can define what Web and incoming/outgoing services are permitted ‘in hours’ and ‘out of hours’. Website filtering uses the widely-adopted N2H2 mechanism, though you’ll need to have that option enabled on the unit before you can use it. You can also include traffic types in your plans, many of which are listed in a friendly selection of ‘services’ (SMTP, POP, etc) just like the one we’ve already said was missing from the firewall component of the unit. Logging and diagnostics are acceptable. There are plenty of system logs (albeit fairly low-level Unix-style log files), although the one omission we found when our PPTP connection was playing up was a PPTP-specific one. The overall system configuration is maintained automatically from IntY’s server. Their NTP time server keeps the box’s clock correct and each unit checks over the Net, from time to time, to see if new features have been purchased, and authorises them appropriately. This strong connection with the vendor disturbs me a little, not least because I saw a ‘root login accepted’ in the log file that leads me to believe intY’s guys are able to do what they want on your box, but the unit is no different from other appliances of this sort, whose ‘root’ passwords are known only to the vendor. VPN support is extensive and one of the best we’ve seen, configuration-wise. The IPSec stuff is typically cryptic, simply because IPSec uses horrid, long, unintelligible keys, but to get basic PPTP dial-in for Windows clients is an absolute breeze. The only issue we had was when we set up the first PPTP connection - it wouldn’t work at all. But we hit the ‘restart networking’ button in the management screen, the system reinitialised the network settings, and everything was sweetness and light. PPTP client connections can be restricted to a particular set of IP addresses or networks if you know your clients will always be in a given IP range, but if not it’s happy to accept connections from anywhere. Enabling a user for PPTP is simply a case of dropping them into the right group – you won’t find simpler. The ExoServer is an interesting unit but personally I would think twice before buying one. Apart from the annoying multi-reboot syndrome with update installations, and the fact that integration with (say) Active Directory ought to be more complete, the main problem is the basic firewalling. This just isn’t quite good enough, in my opinion, although to be fair it's mainly a GUI issue rather than a functionality one. The problem is this: if I were to buy this unit, I’d have to use it with a separate firewall, not instead of one. But unless I had a SoHo installation with an entry-level firewall, the firewall may well give me some of the other functionality, such as time restrictions on connections, VPN server capabilities, and so on. Thus it reduces the number of things I’d need the ExoServer for and makes me think about simply going out and buying software packages for the extra bits. Then there’s that security thing – I get nervous when vendors can remotely log in to my server, even if I can see them. Conclusion
On balance, though, I do quite fancy this box for a ‘smallish company’ market. The basic unit doesn’t have some of the features turned on (notably N2H2 and VPN) but they’re there and can be turned on at a moment’s notice. The documentation (a 315-page PDF) is excellent and explains a lot of complicated technologies in a way that non-experts will understand and the basic functionality is implemented well, aside from the packet-filtering firewall components. I suspect small organisations would be justified in combining an ExoServer with a low-end firewall (a SonicWall, a ZyWall-10 or a NetScreen-5) to give an excellent feature set, but that larger companies would probably go for a higher-end firewall and software-based packages for extras such as URL blocking.

OUR VERDICT

In a device like this, you’re looking to see whether the extras it offers, over what you already have, are good value compared with buying a separate package that has those extras. Also, beware that many devices of this kind are cheap in their basic form but require chargeable add-ons for some features to work.